centos7.4安装jumpserver堡垒机

centos7.4安装jumpserver堡垒机

官网：http://docs.jumpserver.org/zh/docs/step_by_step.html

一、修改字符集
[root@iZbp150ikdomqe3b32qaubZ ~]# localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8
[root@iZbp150ikdomqe3b32qaubZ ~]# export LC_ALL=zh_CN.UTF-8
[root@iZbp150ikdomqe3b32qaubZ ~]# echo 'LANG=zh_CN.UTF-8' > /etc/locale.conf 
注：修改字符集，否则可能报input/output error的问题，因为日志里打印了中文

二、准备Python3和Python虚拟环境

2.1 安装依赖包
[root@iZbp150ikdomqe3b32qaubZ ~]# yum -y install wget sqlite-devel xz gcc automake zlib-devel openssl-devel epel-release git

2.2 编译安装
[root@iZbp150ikdomqe3b32qaubZ ~]# cd /opt && wget https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
--2018-06-05 10:14:07--  https://www.python.org/ftp/python/3.6.1/Python-3.6.1.tar.xz
正在解析主机 www.python.org (www.python.org)... 151.101.228.223, 2a04:4e42:11::223
正在连接 www.python.org (www.python.org)|151.101.228.223|:443... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：16872064 (16M) [application/octet-stream]
正在保存至: “Python-3.6.1.tar.xz”

100%[===================================================================================================================================================>] 16,872,064  1.63MB/s 用时 8.0s   

2018-06-05 10:14:17 (2.02 MB/s) - 已保存 “Python-3.6.1.tar.xz” [16872064/16872064])

[root@iZbp150ikdomqe3b32qaubZ opt]# tar axf Python-3.6.1.tar.xz && cd Python-3.6.1
[root@iZbp150ikdomqe3b32qaubZ Python-3.6.1]# ./configure && make && make install
注：这里必须执行编译安装，否则在安装 Python 库依赖时会有麻烦。如果编译失败，请记得使用命令：make clean all
提示有如下内容，则表示编译成功。
Successfully installed pip-9.0.1 setuptools-28.8.0

2.3  建立Python虚拟环境
因为CentOS6/7自带的是Python2，而Yum等工具依赖原来的Python，为了不扰乱原来的环境我们来使用Python虚拟环境。
[root@iZbp150ikdomqe3b32qaubZ Python-3.6.1]# cd /opt
[root@iZbp150ikdomqe3b32qaubZ opt]# python3 -m venv py3
[root@iZbp150ikdomqe3b32qaubZ opt]# source /opt/py3/bin/activate
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]#
注：看到上面的提示符代表成功，以后运行Jumpserver都要先运行以上source命令，以下所有命令均在该虚拟环境中运行。

2.4 自动载入Python虚拟环境配置
此项仅为懒癌晚期的人员使用，防止运行 Jumpserver 时忘记载入 Python 虚拟环境导致程序无法运行，使用autoenv。
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd /opt
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# git clone git://github.com/kennethreitz/autoenv.git
正克隆到 'autoenv'...
remote: Counting objects: 671, done.
remote: Total 671 (delta 0), reused 0 (delta 0), pack-reused 671
接收对象中: 100% (671/671), 103.92 KiB | 107.00 KiB/s, done.
处理 delta 中: 100% (356/356), done.
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# echo 'source /opt/autoenv/activate.sh' >> ~/.bashrc
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# source ~/.bashrc

三、安装jumpserver

3.1 下载或clone项目
项目提交较多 git clone 时较大，你可以选择去 Github 项目页面直接下载zip包。
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd /opt/
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# git clone https://github.com/jumpserver/jumpserver.git
正克隆到 'jumpserver'...
remote: Counting objects: 29164, done.
remote: Compressing objects: 100% (290/290), done.
remote: Total 29164 (delta 319), reused 389 (delta 234), pack-reused 28613
接收对象中: 100% (29164/29164), 39.90 MiB | 409.00 KiB/s, done.
处理 delta 中: 100% (20110/20110), done.

(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd jumpserver && git checkout master
已经位于 'master'

(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# echo "source /opt/py3/bin/activate" > /opt/jumpserver/.env
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/jumpserver/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
注：进入jumpserver目录时将自动载入python 虚拟环境，首次进入jumpserver文件夹会有提示，按y即可。

3.2 安装rpm依赖包
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/requirements/
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum -y install $(cat rpm_requirements.txt)
注：如果没有任何报错，则继续。

3.3 安装python库依赖
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# pip install -r requirements.txt
注：如果没有任何报错，则继续。

You are using pip version 9.0.1, however version 10.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
最后提示的内容如上，不知道是否有有错误，暂时待定，继续执行！

3.4 安装redis
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum install -y redis
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# systemctl start redis
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# ps -ef | grep redis
redis    21565     1  0 10:39 ?        00:00:00 /usr/bin/redis-server 127.0.0.1:6379
root     21569  4598  0 10:39 pts/0    00:00:00 grep --color=auto redis
注：jumpserver 使用 Redis 做 cache 和 celery broke

3.5 安装mysql
本教程使用Mysql作为数据库，如果不使用Mysql可以跳过相关Mysql安装和配置。
由于本次实验的机器是centos7系统，所以安装的是mariadb数据库。
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum -y install mariadb mariadb-devel mariadb-server
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# systemctl start mariadb
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# ps -ef | grep mariadb
mysql    21874 21709  1 10:42 ?        00:00:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --plugin-dir=/usr/lib64/mysql/plugin --log-error=/var/log/mariadb/mariadb.log --pid-file=/var/run/mariadb/mariadb.pid --socket=/var/lib/mysql/mysql.sock
root     21914  4598  0 10:42 pts/0    00:00:00 grep --color=auto mariadb
注：如果当前系统是centos6，则执行如下命令：yum -y install mysql mysql-devel mysql-server

3.6 创建数据库jumpserver并授权
MariaDB [(none)]> create database jumpserver default charset 'utf8';
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all on jumpserver.* to 'jumpserver'@'127.0.0.1' identified by 'zhangyike@123';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> select user,host from mysql.user;
+------------+-------------------------+
| user       | host                    |
+------------+-------------------------+
| jumpserver | 127.0.0.1               |
| root       | 127.0.0.1               |
| root       | ::1                     |
|            | izbp150ikdomqe3b32qaubz |
| root       | izbp150ikdomqe3b32qaubz |
|            | localhost               |
| root       | localhost               |
+------------+-------------------------+
7 rows in set (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| jumpserver         |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.00 sec)

3.7 安装python3 mysql驱动: mysqlclient
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# pip install mysqlclient
Requirement already satisfied: mysqlclient in /opt/py3/lib/python3.6/site-packages
You are using pip version 9.0.1, however version 10.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# echo $?
0
注：由于MySQLdb库不支持python3.5+，所以选择了mysqlclient作为驱动,pymysql使用python写的，速度较慢。

3.8 修改jumpserver配置文件
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# pwd
/opt/jumpserver
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cp config_example.py  config.py
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# vi config.py 
class DevelopmentConfig(Config):
    DEBUG = True
    DB_ENGINE = 'mysql' 
    DB_HOST = '127.0.0.1'
    DB_PORT = 3306
    DB_USER = 'jumpserver'
    DB_PASSWORD = 'zhangyike@123'
    DB_NAME = 'jumpserver'

class TestConfig(Config):
    pass    

class ProductionConfig(Config):
    pass    

# Default using Config settings, you can write if/else for different env
config = DevelopmentConfig()

3.9 生成数据库结构和初始化数据
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/utils
(py3) [root@iZbp150ikdomqe3b32qaubZ utils]# bash make_migrations.sh 
注：如有一下提示，则执行成功。如果执行失败，请先执行：bash clean_migrations.sh
Applying perms.0001_initial... OK
Applying perms.0002_auto_20180605_1103... OK
Applying sessions.0001_initial... OK
Applying terminal.0001_initial... OK
Applying terminal.0002_auto_20180605_1103... OK

3.10 启动jumpserver
方法一：
(py3) [root@iZbp150ikdomqe3b32qaubZ utils]# cd /opt/jumpserver/
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# ./jms start all 
注：
后台运行使用 -d 参数./jms start all -d
运行不报错，请浏览器访问 http://47.97.97.124:8080/(在这里使用默认对外的端口为8080) 
默认账号: admin 密码: admin 页面显示不正常先不用处理，搭建nginx代理就可以正常访问了。
jumpserver重启：(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# ./jms restart
经过我的测试，这个时候是访问不了的，当然不用急，操作还未结束！

方法二：
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/jumpserver/
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# python run_server.py

四、安装SSH Server和WebSocket Server: Coco

4.1 下载或clone项目
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# source /opt/py3/bin/activate   #切莫忘记执行
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# git clone https://github.com/jumpserver/coco.git && cd coco && git checkout master
正克隆到 'coco'...
remote: Counting objects: 1462, done.
remote: Compressing objects: 100% (81/81), done.
remote: Total 1462 (delta 120), reused 152 (delta 105), pack-reused 1276
接收对象中: 100% (1462/1462), 336.00 KiB | 167.00 KiB/s, done.
处理 delta 中: 100% (1021/1021), done.
已经位于 'master'
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# echo "source /opt/py3/bin/activate" > /opt/coco/.env
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# cd /opt/coco/
autoenv:
autoenv: WARNING:
autoenv: This is the first time you are about to source /opt/coco/.env:
autoenv:
autoenv:   --- (begin contents) ---------------------------------------
autoenv:     source /opt/py3/bin/activate$
autoenv:
autoenv:   --- (end contents) -----------------------------------------
autoenv:
autoenv: Are you sure you want to allow this? (y/N) y
注：进入coco目录时将自动载入python虚拟环境，首次进入coco文件夹会有提示，按y即可。

4.2 安装依赖
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# cd /opt/coco/requirements/
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# yum -y  install $(cat rpm_requirements.txt)
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# pip install -r requirements.txt -i https://pypi.org/simple

4.3 查看配置文件并运行
(py3) [root@iZbp150ikdomqe3b32qaubZ requirements]# cd /opt/coco
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# cp conf_example.py conf.py
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# ./cocod start -d
Start coco process
注：
1 如果coco与jumpserver分开部署，请手动修改 conf.py
2 ./cocod start  # 后台运行使用 -d 参数./cocod start -d
3 新版本更新了运行脚本，使用方式./cocod start|stop|status|restart 后台运行请添加-d参数

由于此处coco与jumpserver是分开部署的，所以需要修改conf.py文件，具体操作如下：
修改前：
# Jumpserver项目的url, api请求注册会使用
# CORE_HOST = os.environ.get("CORE_HOST") or 'http://127.0.0.1:8080'
修改后：
#Jumpserver项目的url, api请求注册会使用
CORE_HOST = os.environ.get("CORE_HOST") or 'http://47.98.97.124:8080'

重启coco与jumpserver
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# ./cocod restart
Stop coco process
Start coco process

[root@iZbp150ikdomqe3b32qaubZ ~]# cd /opt/jumpserver/
(py3) [root@iZbp150ikdomqe3b32qaubZ jumpserver]# ./jms start all -d
提示如下内容表示启动成功
gunicorn is running: 23269
celery is running: 23286
beat is running: 23287

启动成功后去Jumpserver，会话管理-终端管理（http://47.98.97.124:8080）接受coco的注册

测试界面如下：

五、安装 Web Terminal 前端: Luna
Luna 已改为纯前端，需要 Nginx 来运行访问
(py3) [root@iZbp150ikdomqe3b32qaubZ coco]# cd /opt
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# wget https://github.com/jumpserver/luna/releases/download/1.3.0/dist.tar.gz

(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# tar axf dist.tar.gz 
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# mv dist luna
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# ls /opt/luna/

注：由于没有windows服务器管理，所以不需要安装guacamole

六、配置Nginx整合各组件
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# yum -y install nginx
(py3) [root@iZbp150ikdomqe3b32qaubZ opt]# cd /etc/nginx/
(py3) [root@iZbp150ikdomqe3b32qaubZ nginx]# cp nginx.conf.default  nginx.conf
(py3) [root@iZbp150ikdomqe3b32qaubZ nginx]# vi nginx.conf
user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

#access_log  logs/access.log  main;

sendfile        on;
#tcp_nopush     on;

#keepalive_timeout  0;
keepalive_timeout  65;

#gzip  on;


server {

    listen 80;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location /luna/ {
        try_files $uri / /index.html;
        alias /opt/luna/;
    }

    location /media/ {
        add_header Content-Encoding gzip;
        root /opt/jumpserver/data/;
    }

    location /static/ {
        root /opt/jumpserver/data/;
    }

    location /socket.io/ {
        proxy_pass       http://47.98.97.124:5000/socket.io/; 
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        proxy_pass http://47.98.97.124:8080;  
    }
}

}

测试：http://47.98.97.124,这时可以正常访问jumpserver啦！！！